Introduction to AppArmor

If you use Ubuntu or SUSE, you probably already have AppArmor installed on your system, so take a moment and see how this software can help you.
And even if you don't use these distributions, this article may still be of interest if you care about the security of your Linux box.

AppArmor (“Application Armor”) is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

It has been part of the mainline Linux kernel since version 2.6.36. Since 2009, Canonical has contributed to the ongoing AppArmor development.

In addition to manually specified profiles, AppArmor includes a learning mode in which violations of the profile are logged but not prevented. This log can then be turned into a profile based on the program's typical behavior.

AppArmor is offered in part as an alternative to SELinux, another system built on the kernel's Linux Security Modules (LSM) framework to implement a MAC security model.

Installation

AppArmor is installed and loaded by default in recent versions of Ubuntu and uses application profiles to determine which files and permissions an application needs. Some packages install their own profiles, and additional profiles can be found in the package apparmor-profiles.

To install the package apparmor-profiles, in a terminal type:

sudo apt-get install apparmor-profiles

Basic Usage

The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.

apparmor_status is used to view the current status of AppArmor profiles.

sudo apparmor_status

aa-complain places a profile into complain mode.

sudo aa-complain /path/to/bin

aa-enforce places a profile into enforce mode.

sudo aa-enforce /path/to/bin

The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles. Enter the following to place all profiles into complain mode:

sudo aa-complain /etc/apparmor.d/*

To place all profiles in enforce mode:

sudo aa-enforce /etc/apparmor.d/*

apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:

sudo apparmor_parser -a /etc/apparmor.d/profile.name

To reload a profile:

sudo apparmor_parser -r /etc/apparmor.d/profile.name

/etc/init.d/apparmor can be used to reload all profiles:

sudo /etc/init.d/apparmor reload

AppArmor can be disabled, and the kernel module unloaded by entering the following:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

To re-enable AppArmor enter:

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults

Profiles

AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, with the leading "/" dropped and each remaining "/" replaced by ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
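As an added example (not code from the article or from the AppArmor project), the following POSIX shell functions tie the complain/enforce modes from the Basic Usage section to the profile naming convention just described. The function names aa_profile_name, aa_profile_mode and aa_list_modes are assumptions, and the two sample profiles are constructed in a temporary directory so the script runs without AppArmor installed; it only reads files and never loads anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for inspecting
# AppArmor profile files using only the POSIX shell and standard tools.
set -eu

# Map an executable path to its profile file name under /etc/apparmor.d:
# drop the leading "/" and turn every remaining "/" into "."
# (assumed helper name; follows the convention /bin/ping -> bin.ping).
aa_profile_name() {
    printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Report the mode a profile file will be loaded in by reading its header
# line (the first non-comment line ending in "{"): a header that carries
# flags=(complain) loads in complain mode (violations logged, not blocked);
# otherwise the profile loads in enforce mode. Assumed helper name.
aa_profile_mode() {
    header=$(grep -E '^[[:space:]]*[^#].*[{][[:space:]]*$' "$1" | head -n 1)
    case "$header" in
        *flags=\(*complain*\)*) echo complain ;;
        *) echo enforce ;;
    esac
}

# Print "<profile file> <mode>" for every profile in a directory, the way an
# administrator might audit /etc/apparmor.d before switching everything to
# enforce mode. Assumed helper name.
aa_list_modes() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(aa_profile_mode "$f")"
    done
}

# Constructed sample profiles (not the real Ubuntu files) in a temp dir.
demo_dir=$(mktemp -d)

cat > "$demo_dir/bin.ping" <<'EOF'
# constructed sample: a profile that was put into complain mode
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  capability net_raw,
  /bin/ping mixr,
}
EOF

cat > "$demo_dir/usr.sbin.demo" <<'EOF'
# constructed sample: no flags, so it loads in enforce mode
#include <tunables/global>
/usr/sbin/demo {
  #include <abstractions/base>
  /usr/sbin/demo mr,
}
EOF

# Usage: show the profile name for an executable and audit the directory.
aa_profile_name /bin/ping
aa_list_modes "$demo_dir"
```

aa-complain and aa-enforce work by setting or clearing the complain flag in the profile header and reloading the profile, so the on-disk header reflects the mode the administrator asked for; what the kernel is currently applying is still best confirmed with apparmor_status.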
